How can SQL injection vulnerabilities be mitigated when using user input in SQL queries in PHP?
SQL injection vulnerabilities can be mitigated by using prepared statements with parameterized queries in PHP. This approach ensures that user input is treated as data rather than executable SQL code, thus preventing malicious SQL injection attacks.
// Establish a database connection
$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password");
// Prepare a SQL statement with a parameterized query
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
// Bind the user input to the parameter
$username = $_POST['username'];
$stmt->bindParam(':username', $username);
// Execute the prepared statement
$stmt->execute();
// Fetch the results
$results = $stmt->fetchAll();